cbcvebase.
CVE-2025-53558
published 2025-07-31

Priority: P277 · high · 8.7 (CVSS 4.0)
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 1.29% (66.7th percentile)
ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices.

Affected (2 ranges)

Vendor          Product       Version range   Fixed in
zte_japan_k.k   zxhn-f660a
zte_japan_k.k   zxhn-f660t

Detection & IOCs (extracted from sources)

other:   username: admin / password: admin
url:     /start.ghtml
path:    /
command: frashnum=&action=login&Frm_Logintoken=0&Username=admin&Password=admin
  • Detect login attempts to ZTE ZXHN-F660T/F660A using default credentials by monitoring POST requests to '/' with body containing 'action=login&Frm_Logintoken=0' and default username/password 'admin:admin'.
  • Successful exploitation results in an HTTP 302 redirect to '/start.ghtml'; monitor for this redirect following a login POST to identify successful default-credential logins.
  • Shodan query 'title:"F660"' can be used to identify exposed ZTE F660 devices on the internet.
  • Absence of 'wrong username' or 'User information is error' in the response body, combined with a 302 redirect to '/start.ghtml', confirms successful authentication with default credentials.
  • The vulnerability affects ZXHN-F660T and ZXHN-F660A devices specifically provided by ZTE Japan K.K.; scope may not extend to all ZTE F660 variants globally.
  • The login form uses a fixed token field 'Frm_Logintoken=0'; detection rules should account for this static value as part of the attack pattern.
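The detection logic described in the bullets above, as an added example (not from the record's sources): it assumes a constructed reverse-proxy log format of one JSON object per line carrying method, path, request body, status and Location header; the field names and the sample lines are assumptions, so map them onto whatever your proxy or WAF actually emits.

```python
"""Flag default-credential logins to ZTE ZXHN-F660T/F660A (CVE-2025-53558).

Added example. Log format below is constructed, not a real device or proxy log.
"""
import json
from typing import Optional
from urllib.parse import parse_qs

LOGIN_MARKERS = {"action": "login", "Frm_Logintoken": "0"}  # static form fields
DEFAULT_CREDS = {"Username": "admin", "Password": "admin"}   # common credential
SUCCESS_LOCATION = "/start.ghtml"                           # redirect on success


def classify(record: dict) -> Optional[str]:
    """Return 'attempt', 'success' or None for one request/response record."""
    if record.get("method") != "POST" or record.get("path") != "/":
        return None
    params = {k: v[0] for k, v in parse_qs(record.get("body", "")).items()}
    # Both the static login markers and the default credentials must be present.
    if any(params.get(k) != v for k, v in LOGIN_MARKERS.items()):
        return None
    if any(params.get(k) != v for k, v in DEFAULT_CREDS.items()):
        return None
    # A 302 to /start.ghtml is the success signal; anything else is an attempt.
    if record.get("status") == 302 and record.get("location") == SUCCESS_LOCATION:
        return "success"
    return "attempt"


def scan(lines):
    """Yield (client, verdict) for every log line matching the pattern."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        verdict = classify(rec := json.loads(line))
        if verdict:
            yield rec.get("client"), verdict


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """
{"client":"203.0.113.5","method":"POST","path":"/","body":"frashnum=&action=login&Frm_Logintoken=0&Username=admin&Password=admin","status":302,"location":"/start.ghtml"}
{"client":"198.51.100.9","method":"POST","path":"/","body":"frashnum=&action=login&Frm_Logintoken=0&Username=admin&Password=admin","status":200,"location":""}
{"client":"198.51.100.9","method":"POST","path":"/","body":"frashnum=&action=login&Frm_Logintoken=0&Username=user1&Password=s3cret","status":302,"location":"/start.ghtml"}
{"client":"192.0.2.7","method":"GET","path":"/start.ghtml","body":"","status":200,"location":""}
"""

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG.splitlines()):
        print(f"{client}: default-credential login {verdict}")
```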

CVSS provenance

nvd, v4.0: 8.7 HIGH, CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd, v3.0: 8.8 HIGH, CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.7 HIGH